From 63ebd41c6c88cedc39a70079a70580027836eabd Mon Sep 17 00:00:00 2001
From: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
Date: Mon, 21 Oct 2024 13:41:00 +0200
Subject: [PATCH] [kbn-test] error message if MFA is enabled for test account
 (#196906)

## Summary

Recently few engineers reported issues when running FTR **locally**
against MKI project on QA env. It turned out MFA was enabled for the
test cloud accounts, that breaks automatic login to the Cloud.

This PR checks response for `mfa_required: true` and fails without
retrying asking to disable MFA for test account.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
---
 packages/kbn-test/src/auth/saml_auth.test.ts | 30 ++++++++++++++++++++
 packages/kbn-test/src/auth/saml_auth.ts      | 10 +++++++
 2 files changed, 40 insertions(+)

diff --git a/packages/kbn-test/src/auth/saml_auth.test.ts b/packages/kbn-test/src/auth/saml_auth.test.ts
index 47c4724a8b6a3..aee096bf141d6 100644
--- a/packages/kbn-test/src/auth/saml_auth.test.ts
+++ b/packages/kbn-test/src/auth/saml_auth.test.ts
@@ -168,6 +168,36 @@ describe('saml_auth', () => {
         'Failed to create the new cloud session, check retry arguments: {"attemptsCount":0,"attemptDelay":100}'
       );
     });
+
+    test(`should fail without retry when response has 'mfa_required: true'`, async () => {
+      axiosRequestMock.mockImplementation((config: AxiosRequestConfig) => {
+        if (config.url?.endsWith('/api/v1/saas/auth/_login')) {
+          return Promise.resolve({
+            data: { user_id: 12345, authenticated: false, mfa_required: true },
+            status: 200,
+          });
+        }
+        return Promise.reject(new Error(`Unexpected URL: ${config.url}`));
+      });
+
+      await expect(
+        createCloudSession(
+          {
+            hostname: 'cloud',
+            email: 'viewer@elastic.co',
+            password: 'changeme',
+            log,
+          },
+          {
+            attemptsCount: 3,
+            attemptDelay: 100,
+          }
+        )
+      ).rejects.toThrow(
+        'Failed to create the new cloud session: MFA must be disabled for the test account'
+      );
+      expect(axiosRequestMock).toBeCalledTimes(1);
+    });
   });
 
   describe('createSAMLRequest', () => {
diff --git a/packages/kbn-test/src/auth/saml_auth.ts b/packages/kbn-test/src/auth/saml_auth.ts
index 0ec264d66d425..968788371c827 100644
--- a/packages/kbn-test/src/auth/saml_auth.ts
+++ b/packages/kbn-test/src/auth/saml_auth.ts
@@ -134,7 +134,17 @@ export const createCloudSession = async (
                 data[key] = 'REDACTED';
               }
             });
+
+            // MFA must be disabled for test accounts
+            if (data.mfa_required === true) {
+              // Changing MFA configuration requires manual action, skip retry
+              attemptsLeft = 0;
+              throw new Error(
+                `Failed to create the new cloud session: MFA must be disabled for the test account`
+              );
+            }
           }
+
           throw new Error(
             `Failed to create the new cloud session: token is missing in response data\n${JSON.stringify(
               data